CVE-2021-41184
ADVISORY - githubSummary
Impact
Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
my: "left top",
at: "right bottom",
of: "<img onerror='doEvilThing()' src='/404' />",
collision: "none"
} );
will call the doEvilThing() function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.
Workarounds
A workaround is to not accept the value of the of option from untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Common Weakness Enumeration (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
NIST
2.8
CVSS SCORE
6.5mediumGitHub
2.8
CVSS SCORE
6.5mediumDebian
-
Ubuntu
2.8
CVSS SCORE
6.1mediumBitnami
BIT-2021-41184
-
CVSS SCORE
N/AmediumBitnami
BIT-drupal-2021-41184
2.8
CVSS SCORE
6.1mediumRed Hat
2.8
CVSS SCORE
6.5mediumintheWild
-
-